Conventional methods of routing packets between a gateway and an endpoint implement architectures such as Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) architectures. These types of architectures typically provide layer-2 network access by creating a point-to-point network-layer tunnel between a remote endpoint and VPN gateway. Providing access at this layer provides support for routing network traffic originating either from the endpoint or from the gateway. The endpoint receives an internal network address representation and, once connected to the VPN gateway, the endpoint is treated as a virtual internal resource.
Typically, implementing these architectures provides a user of an endpoint with maximum functionality, at the cost of security to a private network and protected resources behind the gateway. One security risk resulting from implementation of conventional methods is a consequence of the typical requirement for modifying a routing table on the endpoint to reflect connectivity to the private network behind the VPN gateway. The modification of the routing table provides the endpoint with information about the private network that may be manipulated to propagate worm-virus hybrids, Trojan viruses, and malicious, unauthorized access to the protected resources.
Conventional implementations of a VPN gateway provide functionality at the low-level kernel layer. However, the kernel layer typically lacks the ability to increase security by accessing information regarding which applications generated network packets and applying security policies to packets based on the identified applications. Additionally, traditional VPN endpoints rely on unsecured kernel routing processes to identify packets that constitute security risks, and may rely upon secondary or tertiary packet inspection to identify malicious data, increasing network level latency.
Conventional VPN gateways create a Virtual Network Interface on the remote endpoint. This interface is a logical hardware interface and may be used to create a network routing table entry within the network kernel space on the endpoint to enable delivery of network traffic. In conventional implementations, the network routing table entry, and the information it provides to the endpoint about the private network, increases security risks to the private network. Furthermore, during the routing of the packets for inspection, the packet is susceptible to alteration and misuse by third-party software or malicious users. A method of providing a VPN solution that permits trusted two-way communication between a gateway and an endpoint, without modifying the endpoint routing table or creating a Virtual Network Interface would be desirable.